Re: Bind recursive queries quota.

[Thomas Cannon <tcannon () noops org>]

On Sat, 20 Jul 2002, Guanglong Zhang wrote:

> Hello Robert,
>
> Hm....??I meet the same problem of bind9 recursive queries DOS.
> Does anyone have solution?

Yes. Turn off recursive queries going to your external DNS servers. They
should only resolve domains that they serve, and junk anything else that
comes to them.

I'd also highly reccomend dumping the Buggy Internet Name Daemon and
running djbdns externally, and set up DNS caches internally and pointing
your machine at them. Not only is this a more robust solution, but djbdns
has a perfect security record. djbdns is written by Dan Bernstein, the
same person who wrote qmail. It's small, very fast, and easy to configure
and maintain. In fact, since I've set it up, I have yet to have it crash
or malfunction in any way -- something I can't say has been my experience
with BIND.

If you can't afford seperate name servers, you can still get djbdns and
dnscache on the same machine by binding to different IP addresses.

Relevant link:

http://cr.yp.to/djbdns.html

Cheers,

Thomas


> Saturday, July 20, 2002, 1:27:19 AM, you wrote:
> Robert Buckley> Howdy,
> Robert Buckley>         Does anyone have any information about exploiting binds recursive
> Robert Buckley> queries [num] limitation.
> Robert Buckley> One of our clients decided to do a very intensive WebTrends report, which (
> Robert Buckley> I assume ) had an option to do
> Robert Buckley> dns lookups. We use a Cisco pix on the border, with 2 external and 2
> Robert Buckley> internal bind 9 systems.
>
> Robert Buckley> The Cisco pix contains a feature called a DNS-GUARD that will prevent the
> Robert Buckley> same query being answered twice.
> Robert Buckley> Another words, the 1st guy to come back with the answer to a query is let
> Robert Buckley> in, anyone else is denied.
>
> Robert Buckley> Our firewall logs showed inbound denials from our two externals had
> Robert Buckley> increased 196.x times more than normal.
> Robert Buckley> AVG 400 or so to about 60 thousands plus. An investigation showed that one
> Robert Buckley> single client ( The Web Trends Guy) was slamming our internal servers with
> Robert Buckley> queries.
> Robert Buckley> Our logging on our dns servers showed.  Client Recusive Queries Quota
> Robert Buckley> Reached.
>
> Robert Buckley> According to some research we've done, a bind server will stop answering
> Robert Buckley> queries if it has the default value of 100 unanswered queries in memory.
> Robert Buckley> Of course this value can be increased via an option. It seemed to me that
> Robert Buckley> this type of abuse from the webtrends app, nearly caused a denial of service
> Robert Buckley> on our dns.
>
> Robert Buckley> IMO, it would be trivial to write something to to ask 100 bogus queries that
> Robert Buckley> dont get answered in time.
> Robert Buckley> Anyone have a similiar experience or security information on this?
>
>
>
>
>
> --
> James Zhang
> Manager,T.S.Dept. Marsec System     Mobile: 13910526162
> Office: +8610-88087212-3004         FAX: +8610-88087300
> Http://www.babygoal.com             Email: glzhang () 8848 net
> PGP Public key:
> ftp://ftp.babygoal.com/pub/pgpkey/glzhang.8848.net.asc

"No brain, no headache"